0
votes

I have IDS4 (resource ids) with users on a single host

    options.ApiName = "ids";
    options.ApiSecret = "secret";

and a client (clientId cl1) with PasswordFlowCredentials. The client has scope ids.

When I get a JWT token with login-password by cl1, I have access to the controllers on ids. But if I get a reference token, I cannot access them.

The introspection endpoint returns 401 because client_id=ids but the token is from cl1.

    token=15cf93dd255db79a46141c9403f86a71f81d797b2e7649bdd56e10f860c9afde&client_id=ids&token_type_hint=access_token&client_secret=secret

Token content from PersistedGrants (short)


    {"CreationTime":"2019-01-11T11:12:37Z","Lifetime":900000,"AccessToken":
    {"Audiences":
    ["https://localhost:5000/resources","ids"],
    "Issuer":"https://localhost:5000","CreationTime":"2019-01-11T11:12:37Z",
    "Lifetime":90000,"Type":"access_token","ClientId":"cl1",
    "AccessTokenType":1,"Claims":
    [{"Type":"client_id","Value":"cl1","ValueType":"http://www.w3.org/2001/XMLSchema#string"},
    {"Type":"scope","Value":"ids","ValueType":"http://www.w3.org/2001/XMLSchema#string"},
    {"Type":"sub","Value":"5eb745a6-21ab-4f69-941d-0295f9a9e468","ValueType":"http://www.w3.org/2001/XMLSchema#string"},

Where is the error?

How can I validate a reference token?

1 Answers

0
votes

The client_id in the introspection request is not a client_id. It must be the Resource Id from [dbo].[ApiResources] and the secret from [dbo].[ApiSecrets].
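A simplified model of the check this answer describes, as an added example that is not part of the original post and not IdentityServer4's own code: the caller of the introspection endpoint is authenticated as an API resource, never as a client. The table contents, the token handle, the second resource `api2`, and the base64 SHA-256 storage format for secrets are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac

def sha256_b64(value: str) -> str:
    """Base64 of SHA-256 over UTF-8: the stored form assumed for ApiSecrets rows."""
    return base64.b64encode(hashlib.sha256(value.encode("utf-8")).digest()).decode()

# Constructed stand-ins for the tables named in the answer.
API_RESOURCES = {"ids": {"ids"}, "api2": {"api2"}}   # [dbo].[ApiResources]: name -> scopes
API_SECRETS = {"ids": [sha256_b64("secret")],        # [dbo].[ApiSecrets]: name -> hashes
               "api2": [sha256_b64("secret2")]}
# Constructed reference-token store, shaped like the PersistedGrants entry in the question.
GRANTS = {"constructed-handle": {"client_id": "cl1", "scope": ["ids"],
                                 "sub": "constructed-sub"}}

def authenticate_api(name: str, secret: str) -> bool:
    """The caller must be a known API resource presenting one of its own secrets."""
    if name not in API_RESOURCES:
        return False  # a client id such as cl1 is never looked up here
    presented = sha256_b64(secret)
    return any(hmac.compare_digest(presented, h) for h in API_SECRETS.get(name, []))

def introspect(form: dict) -> tuple:
    """Return (HTTP status, body) for a form-encoded introspection request."""
    api = form.get("client_id", "")
    if not authenticate_api(api, form.get("client_secret", "")):
        return 401, {}
    grant = GRANTS.get(form.get("token", ""))
    if grant is None:
        return 200, {"active": False}
    # Only scopes that belong to the calling API are reported back.
    scopes = [s for s in grant["scope"] if s in API_RESOURCES[api]]
    if not scopes:
        return 200, {"active": False}
    return 200, {"active": True, "client_id": grant["client_id"],
                 "sub": grant["sub"], "scope": " ".join(scopes)}

if __name__ == "__main__":
    base = {"token": "constructed-handle", "token_type_hint": "access_token"}
    for cid, sec in [("cl1", "secret"), ("ids", "wrong"),
                     ("ids", "secret"), ("api2", "secret2")]:
        print(cid, introspect({**base, "client_id": cid, "client_secret": sec}))
```

A 401 from this model means the resource name or its secret row did not match, which is independent of which client the token was issued to.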